def initialize(info = {})
super(update_info(info,
'Name' => 'iTunes Extended M3U Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.
When opening an extended .m3u file containing an "#EXTINF:" tag description,
iTunes will copy the content after "#EXTINF:" without appropriate checking
from a heap buffer to a stack buffer and write beyond the stack buffers boundary.
This allows arbitrary code execution.
The Windows XP target has to have QuickTime 7.7.2 installed for this module
to work. It uses a ROP chain from a non safeSEH enabled DLL to bypass DEP and
safeSEH. The stack cookie check is bypassed by triggering a SEH exception.
},

## NOTE ##
# Exploit works best if iTunes is not running and the user browses to a malicious page.
# But even if iTunes is already running and playing music, the exploit worked reliably
#
# remote code execution is possible via itms:// handler, which instructs a browser to open
# iTunes:
# Safari does not prompt for iTunes itms links -> RCE without user interaction
# Firefox, Opera, and IE ask the user for permission to launch iTunes
# Chrome asks for permission and spits a big warning